search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
printing: use const in is_printer_published
[Samba.git] / source4 / auth / ntlmssp / ntlmssp_server.c
blob9db3b560c1067162e78035cf796be86a137bc1f6
1 /*
2 Unix SMB/Netbios implementation.
3 Version 3.0
4 handle NLTMSSP, client server side parsing
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2005
8 Copyright (C) Stefan Metzmacher 2005
9
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
14
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
19
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "system/network.h"
26 #include "lib/tsocket/tsocket.h"
27 #include "auth/ntlmssp/ntlmssp.h"
28 #include "../librpc/gen_ndr/ndr_ntlmssp.h"
29 #include "../libcli/auth/ntlmssp_ndr.h"
30 #include "../libcli/auth/ntlmssp_private.h"
31 #include "../libcli/auth/libcli_auth.h"
32 #include "../lib/crypto/crypto.h"
33 #include "auth/gensec/gensec.h"
34 #include "auth/gensec/gensec_proto.h"
35 #include "auth/auth.h"
36 #include "param/param.h"
37
38 /**
39 * Next state function for the Negotiate packet (GENSEC wrapper)
40 *
41 * @param gensec_security GENSEC state
42 * @param out_mem_ctx Memory context for *out
43 * @param in The request, as a DATA_BLOB. reply.data must be NULL
44 * @param out The reply, as an allocated DATA_BLOB, caller to free.
45 * @return Errors or MORE_PROCESSING_REQUIRED if (normal) a reply is required.
46 */
47
48 NTSTATUS gensec_ntlmssp_server_negotiate(struct gensec_security *gensec_security,
49 TALLOC_CTX *out_mem_ctx,
50 const DATA_BLOB request, DATA_BLOB *reply)
51 {
52 struct gensec_ntlmssp_context *gensec_ntlmssp =
53 talloc_get_type_abort(gensec_security->private_data,
54 struct gensec_ntlmssp_context);
55 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
56 return ntlmssp_server_negotiate(ntlmssp_state, out_mem_ctx, request, reply);
57 }
58
59 /**
60 * Next state function for the Authenticate packet (GENSEC wrapper)
61 *
62 * @param gensec_security GENSEC state
63 * @param out_mem_ctx Memory context for *out
64 * @param in The request, as a DATA_BLOB. reply.data must be NULL
65 * @param out The reply, as an allocated DATA_BLOB, caller to free.
66 * @return Errors or NT_STATUS_OK if authentication sucessful
67 */
68
69 NTSTATUS gensec_ntlmssp_server_auth(struct gensec_security *gensec_security,
70 TALLOC_CTX *out_mem_ctx,
71 const DATA_BLOB in, DATA_BLOB *out)
72 {
73 struct gensec_ntlmssp_context *gensec_ntlmssp =
74 talloc_get_type_abort(gensec_security->private_data,
75 struct gensec_ntlmssp_context);
76 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
77 return ntlmssp_server_auth(ntlmssp_state, out_mem_ctx, in, out);
78 }
79
80 /**
81 * Return the challenge as determined by the authentication subsystem
82 * @return an 8 byte random challenge
83 */
84
85 static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_state,
86 uint8_t chal[8])
87 {
88 struct gensec_ntlmssp_context *gensec_ntlmssp =
89 talloc_get_type_abort(ntlmssp_state->callback_private,
90 struct gensec_ntlmssp_context);
91 struct auth_context *auth_context = gensec_ntlmssp->auth_context;
92 NTSTATUS status;
93
94 status = auth_context->get_challenge(auth_context, chal);
95 if (!NT_STATUS_IS_OK(status)) {
96 DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
97 nt_errstr(status)));
98 return status;
99 }
100
101 return NT_STATUS_OK;
102 }
103
104 /**
105 * Some authentication methods 'fix' the challenge, so we may not be able to set it
106 *
107 * @return If the effective challenge used by the auth subsystem may be modified
108 */
109 static bool auth_ntlmssp_may_set_challenge(const struct ntlmssp_state *ntlmssp_state)
110 {
111 struct gensec_ntlmssp_context *gensec_ntlmssp =
112 talloc_get_type_abort(ntlmssp_state->callback_private,
113 struct gensec_ntlmssp_context);
114 struct auth_context *auth_context = gensec_ntlmssp->auth_context;
115
116 return auth_context->challenge_may_be_modified(auth_context);
117 }
118
119 /**
120 * NTLM2 authentication modifies the effective challenge,
121 * @param challenge The new challenge value
122 */
123 static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *challenge)
124 {
125 struct gensec_ntlmssp_context *gensec_ntlmssp =
126 talloc_get_type_abort(ntlmssp_state->callback_private,
127 struct gensec_ntlmssp_context);
128 struct auth_context *auth_context = gensec_ntlmssp->auth_context;
129 NTSTATUS nt_status;
130 const uint8_t *chal;
131
132 if (challenge->length != 8) {
133 return NT_STATUS_INVALID_PARAMETER;
134 }
135
136 chal = challenge->data;
137
138 nt_status = auth_context->set_challenge(auth_context,
139 chal,
140 "NTLMSSP callback (NTLM2)");
141
142 return nt_status;
143 }
144
145 /**
146 * Check the password on an NTLMSSP login.
147 *
148 * Return the session keys used on the connection.
149 */
150
151 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
152 TALLOC_CTX *mem_ctx,
153 DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
154 {
155 struct gensec_ntlmssp_context *gensec_ntlmssp =
156 talloc_get_type_abort(ntlmssp_state->callback_private,
157 struct gensec_ntlmssp_context);
158 struct auth_context *auth_context = gensec_ntlmssp->auth_context;
159 NTSTATUS nt_status;
160 struct auth_usersupplied_info *user_info;
161
162 user_info = talloc_zero(ntlmssp_state, struct auth_usersupplied_info);
163 if (!user_info) {
164 return NT_STATUS_NO_MEMORY;
165 }
166
167 user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
168 user_info->flags = 0;
169 user_info->mapped_state = false;
170 user_info->client.account_name = ntlmssp_state->user;
171 user_info->client.domain_name = ntlmssp_state->domain;
172 user_info->workstation_name = ntlmssp_state->client.netbios_name;
173 user_info->remote_host = gensec_get_remote_address(gensec_ntlmssp->gensec_security);
174
175 user_info->password_state = AUTH_PASSWORD_RESPONSE;
176 user_info->password.response.lanman = ntlmssp_state->lm_resp;
177 user_info->password.response.lanman.data = talloc_steal(user_info, ntlmssp_state->lm_resp.data);
178 user_info->password.response.nt = ntlmssp_state->nt_resp;
179 user_info->password.response.nt.data = talloc_steal(user_info, ntlmssp_state->nt_resp.data);
180
181 nt_status = auth_context->check_password(auth_context,
182 gensec_ntlmssp,
183 user_info,
184 &gensec_ntlmssp->user_info_dc);
185 talloc_free(user_info);
186 NT_STATUS_NOT_OK_RETURN(nt_status);
187
188 if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
189 DEBUG(10, ("Got NT session key of length %u\n",
190 (unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
191 *user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
192 talloc_steal(mem_ctx, user_session_key->data);
193 gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
194 }
195 if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
196 DEBUG(10, ("Got LM session key of length %u\n",
197 (unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
198 *lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
199 talloc_steal(mem_ctx, lm_session_key->data);
200 gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
201 }
202 return nt_status;
203 }
204
205 /**
206 * Return the credentials of a logged on user, including session keys
207 * etc.
208 *
209 * Only valid after a successful authentication
210 *
211 * May only be called once per authentication.
212 *
213 */
214
215 NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
216 struct auth_session_info **session_info)
217 {
218 NTSTATUS nt_status;
219 struct gensec_ntlmssp_context *gensec_ntlmssp =
220 talloc_get_type_abort(gensec_security->private_data,
221 struct gensec_ntlmssp_context);
222 struct ntlmssp_state *ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
223
224 nt_status = gensec_generate_session_info(ntlmssp_state,
225 gensec_security,
226 gensec_ntlmssp->user_info_dc,
227 session_info);
228 NT_STATUS_NOT_OK_RETURN(nt_status);
229
230 (*session_info)->session_key = data_blob_talloc(*session_info,
231 ntlmssp_state->session_key.data,
232 ntlmssp_state->session_key.length);
233
234 return NT_STATUS_OK;
235 }
236
237 /**
238 * Start NTLMSSP on the server side
239 *
240 */
241 NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
242 {
243 NTSTATUS nt_status;
244 struct ntlmssp_state *ntlmssp_state;
245 struct gensec_ntlmssp_context *gensec_ntlmssp;
246
247 nt_status = gensec_ntlmssp_start(gensec_security);
248 NT_STATUS_NOT_OK_RETURN(nt_status);
249
250 gensec_ntlmssp = talloc_get_type_abort(gensec_security->private_data,
251 struct gensec_ntlmssp_context);
252 ntlmssp_state = gensec_ntlmssp->ntlmssp_state;
253
254 ntlmssp_state->role = NTLMSSP_SERVER;
255
256 ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
257
258 ntlmssp_state->allow_lm_key = (lpcfg_lanman_auth(gensec_security->settings->lp_ctx)
259 && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
260
261 ntlmssp_state->neg_flags =
262 NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_VERSION;
263
264 ntlmssp_state->lm_resp = data_blob(NULL, 0);
265 ntlmssp_state->nt_resp = data_blob(NULL, 0);
266
267 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
268 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
269 }
270
271 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
272 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
273 }
274
275 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
276 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
277 }
278
279 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
280 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
281 }
282
283 if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
284 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
285 }
286
287 if (gensec_security->want_features & GENSEC_FEATURE_SIGN) {
288 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
289 }
290 if (gensec_security->want_features & GENSEC_FEATURE_SEAL) {
291 ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
292 }
293
294 gensec_ntlmssp->auth_context = gensec_security->auth_context;
295
296 ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
297 ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
298 ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
299 ntlmssp_state->check_password = auth_ntlmssp_check_password;
300 if (lpcfg_server_role(gensec_security->settings->lp_ctx) == ROLE_STANDALONE) {
301 ntlmssp_state->server.is_standalone = true;
302 } else {
303 ntlmssp_state->server.is_standalone = false;
304 }
305
306 ntlmssp_state->server.netbios_name = lpcfg_netbios_name(gensec_security->settings->lp_ctx);
307
308 ntlmssp_state->server.netbios_domain = lpcfg_workgroup(gensec_security->settings->lp_ctx);
309
310 {
311 char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
312
313 /* Find out the DNS domain name */
314 dnsdomname[0] = '\0';
315 safe_strcpy(dnsdomname, lpcfg_dnsdomain(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
316
317 /* Find out the DNS host name */
318 safe_strcpy(dnsname, ntlmssp_state->server.netbios_name, sizeof(dnsname) - 1);
319 if (dnsdomname[0] != '\0') {
320 safe_strcat(dnsname, ".", sizeof(dnsname) - 1);
321 safe_strcat(dnsname, dnsdomname, sizeof(dnsname) - 1);
322 }
323 strlower_m(dnsname);
324
325 ntlmssp_state->server.dns_name = talloc_strdup(ntlmssp_state,
326 dnsname);
327 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_name);
328
329 ntlmssp_state->server.dns_domain = talloc_strdup(ntlmssp_state,
330 dnsdomname);
331 NT_STATUS_HAVE_NO_MEMORY(ntlmssp_state->server.dns_domain);
332 }
333
334 return NT_STATUS_OK;
335 }
336
Samba GIT mirror